Abstract

The lists of bits processed in quantum key distribution are necessarily of finite length. The need 
for finite-key unconditional security bounds has been recognized long ago, but the theoretical tools 
have become available only very recently. We provide finite-key unconditional security bounds for two 
practical implementations of the Bennett-Brassard 1984 coding: prepare-and-measure implementations 
without decoy states, and entanglement-based implementations. A finite-key bound for prepare-and- 
measure implementations with decoy states is also derived under a simplified treatment of the statistical 
fluctuations. The presentation is tailored to allow direct application of the bounds in experiments. 
Finally, the bounds are also evaluated on a priori reasonable expected values of the observed parameters. 

1 Introduction 

In 1984, Bennett and Brassard remarked that quantum physics provides a solution to the cryptographic 
task of distributing a secret key and provided the first explicit protocol, known as BB84 [1]. This fact was 
re-discovered in 1991 by Ekert [2]. Since then, quantum key distribution (QKD) has grown into a mature field,
spanning a wide range of competences; several reviews have been devoted to it [21 131 [S] [S] . 
The fast development of QKD can be tracked down to the interplay of two factors. First: QKD allows 
unconditional security [3 [HI El I10| 111! I12|, I13[ I14j . which means that security can be guaranteed in an 
information-theoretical sense, without any assumption on the computational power of the eavesdropper. 
Therefore, the task in itself is interesting, because it reaches beyond anything that can be done with classical 
communication alone. Second: QKD can be implemented without entanglement [1] or with one entangled 
pair [2] and has therefore been well within reach of existing experimental technologies for several decades. 
The matching of a theoretical security proof to a real device is however a delicate matter. On the one 
hand, while unconditional security does not put any constraint on the eavesdropper, the proofs do contain 
assumptions about the behavior of the devices of the authorized partners: the quantum states that are 
prepared, the model of the detectors, the procedures used for the classical post-processing of the data... 
On the other hand, imperfections of the real devices may leak information in side channels or allow for 
Trojan Horse attacks or other purely classical hacking attacks [T3[Tni[I7]: it is clearly impossible to devise a 
security proof that would take all these failures into account (for the so-called device-independent approach 
to security and its assumptions, we refer to [18, 19]). The development of checking procedures based on
testable assumptions is one of the most urgent tasks at the present stage of development of QKD. 
Among the assumptions made in most unconditional security proofs, one is manifestly at odds with the 
behavior of a real device: namely, the fact that bounds are usually provided only in the asymptotic limit 
of infinitely long keys. On this issue, no convergence is possible unless the theorists make the effort of 
developing finite-key analysis. Remarkably, all the elements for a rigorous finite-key analysis were already 
present in the very first unconditional security proof by Mayers [7]. However, his work was too innovative 
and also too complex to be duly appreciated. His subsequent work with Inamori and Lütkenhaus [20] also went
rather unnoticed; moreover, it was shown later that their approach does not yield composable security
[55| and must therefore be abandoned. Other partial estimates showed that the finite-key correction is 
quite important in the usual range of operation of QKD systems [331 HSl [M| ■ 
The first study in which finite-key analysis is integrated in a proof of composable unconditional security is
Hayashi's analysis of the BB84 protocol with decoy states [57]. This is, to our knowledge, the only finite-key
bound to have been applied to experimental data as of today. Independently, Renner and one of
us also developed security proofs in the non-asymptotic limit [3^1 HH] based on the formalism developed in
Ref. [13]. In the present paper, we use this approach to derive explicit finite-key security bounds for practical
implementations of the BB84 coding. In Section 2 we provide the general elements of finite-key formalism
following Refs [29, 30]. In Section 3 we apply these tools to one-way prepare-and-measure implementations
of BB84 with weak coherent pulses, both without and with decoy states: we derive an unconditional security
bound for the first and a partial bound for the second. Part of the results overlap with those of Hayashi
and co-workers [3T]. In Section 4 we repeat the same study for entanglement-based implementations of the
BB84 coding, i.e. for the Bennett-Brassard-Mermin 1992 (BBM92) protocol [32].

2 Finite-key formalism 

2.1 Asymmetric BB84 protocol 

We consider the BB84 coding with asymmetric role of the bases: the key is obtained from the events in
which both Alice and Bob have used the $Z$ basis, while the correlations in the $X$ basis are used to estimate
Eve's knowledge. We write $p_Z$ for the probability that the $Z$ basis is chosen and $p_X = 1 - p_Z$ for the probability
that the $X$ basis is chosen (to keep things simple in this general survey, we assume that these probabilities
are the same for Alice and Bob). Therefore, denoting by $N$ the length of Alice's and Bob's lists before sifting
(basically, the number of signals detected by Bob), the raw key will be of length $n = N p_Z^2$, Eve's information
is estimated on a sample consisting of $m = N p_X^2$ signals, and $2N p_Z p_X$ signals are discarded in sifting. We denote
by $e_Z$ and $e_X$ the measured error rates in the two bases (in the whole paper, we use boldface fonts for the
quantities that are directly measured in the protocol).

2.2 Finite-key bound for the secret fraction 

Although the finite-key formalism has been generalized to accommodate more general forms of classical post- 
processing [30], in this paper we consider the extraction of a secret key through one-way post-processing 
without pre-processing. Out of the $n$ pairs of bits that form the raw key, Alice and Bob want to extract a
secret key of length $\ell < n$. We refer to the ratio $r = \ell/N$ as the secret fraction. The asymptotic value of
$r$ is given by the well-known Devetak-Winter bound [33]

$$\lim_{N\to\infty} r = S(X|E) - H(X|Y) \tag{1}$$

where $S(X|E) := S(XE) - S(E)$ and $H(X|Y) := H(XY) - H(Y)$ are the conditional von Neumann and
Shannon entropies, respectively, evaluated for the joint state of Alice and Bob's raw key and the system
controlled by Eve (after the sifting step). The main result of Refs [5Sl[3n] says that the finite-key version of
this bound can also be cast in a rather simple form, namely

$$r = p_Z^2\left[S_\xi(X|E) - \Delta(n) - \mathrm{leak}_{EC}\right] \tag{2}$$

whose terms we now comment on:

• The first correction to the asymptotic bound is the factor $n/N = p_Z^2$. Its meaning is pretty obvious:
only $n$ signals out of $N$ form the raw key. In the limit $N \to \infty$, one can choose $p_Z \to 1$ because a small
fraction of signals will give an accurate enough estimation of the parameters; typically, $m \propto \sqrt{N}$, i.e.
$p_X \propto N^{-1/4}$ [iniHl]; see also our study below.

• The second correction is the one represented by the notation $S_\xi(X|E)$, the modification of Eve's
uncertainty on single copies $S(X|E)$. Its meaning is also obvious. Eve's information is estimated using
measured parameters, e.g. error rates. In a finite-key scenario, these parameters are estimated on
samples of finite length: therefore, one has to allow for statistical fluctuations.

Specifically, let $\lambda$ be one of the parameters that enter Eve's information (to fix ideas, think of $e_X$),
and let $d$ be the number of outcomes of a POVM needed to estimate it (for error rates of bits, $d = 2$
since the outcomes are "Alice=Bob" and "Alice≠Bob"). Suppose then that $m'$ signals have been used
to estimate $\lambda$: then the deviation of the estimate $\lambda_{m'}$ from the ideal estimate $\lambda_\infty$ can be quantified by

$$|\lambda_{m'} - \lambda_\infty| \le \xi(m', d) := \frac{1}{2}\sqrt{\frac{2\ln(1/\varepsilon_{PE}) + d\ln(m'+1)}{m'}} \tag{3}$$

where $\varepsilon_{PE}$ is the failure probability of the parameter estimation^1. We shall write the upper and the
lower bounds compatible with the fluctuations as

$$\lambda^U = \min(\lambda + \xi, 1), \qquad \lambda^L = \max(\lambda - \xi, 0) \tag{4}$$

because all the $\lambda$'s estimated below are probabilities (error rates, fraction of multi-photon pulses etc).
In all that follows, for simplicity of notation we shall omit the max and min.

We stress that the notation $\lambda^{U,L}$ was first introduced in jjl]. Here the expressions are different, since
they considered relative errors drawn from a normal distribution, while our estimate $\xi$ quantifies absolute
errors and does not assume any specific form for the underlying distribution. This is a requirement
of the finite-key formalism we are using. This difference will lead to some minor discrepancies with
previously published works, see Section 3.3.2. The possibility of rephrasing the formalism in terms of
relative errors is listed among the open issues at the end of this paper.

• The third correction to be commented is

$$\Delta(n) = 7\sqrt{\frac{\log_2(2/\bar\varepsilon)}{n}} + \frac{2}{n}\log_2(1/\varepsilon_{PA}). \tag{5}$$

This numerical term is all that is left of the technicalities of unconditional security proofs. We give here
only a very rapid sketch of its origin and refer to [IHlEn] for all details. Eve's uncertainty is quantified
by a generalized conditional entropy called smooth min-entropy and denoted $H_{\min}^{\bar\varepsilon}(X^{(n)}|E^{(n)})$. The
parameter $\bar\varepsilon$ quantifies the "smoothing": it is a parameter of the theory, whose value can be optimized
numerically (see below).

The smooth min-entropy cannot be computed because it is virtually impossible to parametrize the most
general state $\rho_{X^{(n)}Y^{(n)}E^{(n)}}$ compatible with the few observed parameters. In a first step therefore, one
estimates the deviation that is obtained assuming that the state consists of $n$ independent realizations
of a given single-copy state, i.e. $\rho_{X^{(n)}Y^{(n)}E^{(n)}} = (\sigma_{XYE})^{\otimes n}$. In general, this estimate requires a de Finetti-type
theorem [35], which leads however to a very pessimistic overhead in finite-key analysis (though a
recent new approach should provide a much tighter estimate [36]). For BB84 however, it turns out
that no deviation is expected at all: because of the symmetry of the protocol, the state can be written
as a convex combination of products of Bell states without loss of generality [12 [33] . The product
form of the state being thus justified, it can further be proved that the smooth min-entropy is lower
bounded by $n[S_\xi(X|E) - \delta]$, where $\delta$ is the first term of the sum in (5). The second term in the sum
comes from the fact that, in the non-asymptotic case, the task of privacy amplification itself may fail
with probability $\varepsilon_{PA}$.

• Finally, $\mathrm{leak}_{EC}$ replaces $H(X|Y)$ as the fraction to be removed in error correction. It is also well-known
that practical error correction codes do not reach the Shannon limit. Typically,

$$\mathrm{leak}_{EC} \approx f_{EC}\,H(X|Y) + \frac{1}{n}\log_2(2/\varepsilon_{EC}) \tag{6}$$

where $f_{EC} > 1$ depends on the code and $\varepsilon_{EC}$ is the failure probability of the error correction procedure.
In a practical implementation, this quantity is a direct outcome of running the error-correcting code
(although one must be careful in case a two-way error correction code is actually used [38]).



^1 The law of large numbers we are using reads $\sum_{k=1}^{d} |\lambda_m(k) - \lambda_\infty(k)| = \sum_{k=1}^{d} |\delta_m(k)| \le \sqrt{[2\ln(1/\varepsilon_{PE}) + d\ln(m+1)]/m}$
[37]. The constraint $\sum_{k=1}^{d} \lambda_m(k) = \sum_{k=1}^{d} \lambda_\infty(k) = 1$, i.e. $\sum_{k=1}^{d} \delta_m(k) = 0$, implies that the deviation for the parameter
$\lambda = \lambda(1)$ that we want to estimate is given by Eq. (3); more precisely, Eq. (3) is exact for $d = 2$, while for $d > 2$ it represents
the largest possible deviation. The factor $\frac{1}{2}$ was missing in previous works [29, 30]; therefore the lower bounds presented there
may be made slightly more optimistic. After inspection, the net result is that the curves obtained for $N$ can actually be obtained
already for $N' \approx N/2$.
Even if everything has been carried out "perfectly", there is no such thing as perfect security. In our
formalism, the security parameter $\varepsilon$ has an operational meaning: it represents the maximum probability
failure that is tolerated on the key extraction protocol (for instance, e = 10^^" can be loosely read as: "one 
can distribute 10^° keys before something may go wrong"). With this interpretation, it is clear that the 
total security parameter is simply the sum of the probabilities of failures of each procedure described above, 
so that 

$$\varepsilon = \varepsilon_{EC} + \bar\varepsilon + n_{PE}\,\varepsilon_{PE} + \varepsilon_{PA} \tag{7}$$

where $n_{PE}$ is the number of parameters that must be estimated (for simplicity, we set all the corresponding
$\varepsilon_{PE}$ as equal).

2.3 Putting finite-key bounds into practice 

In the previous paragraph, we have sketched the elements that enter the calculation of the secret fraction r 
for BB84 coding in a finite-key scenario. A few remarks are needed to complete the picture. First of all, the 
performance of an implementation is not quantified by r alone, but by the secret-key rate 

$$K = R\,r \tag{8}$$

where R is the detection rate. In this paper, we use rates per sent qubit; the usual rates per second are 
obtained by multiplying our results with the frequency at which the source is operated. 
An actual experiment is described by the following parameters: 

• The user must set his/her desired bound $\varepsilon$ on the total failure probability of the key distribution task:
how often is one willing to tolerate that the final outcome of the post-processing is not a perfect secret 
key. 

• The post-processing code determines the size of the blocks on which privacy amplification is applied. 
This is the exact meaning of the parameter n: the length of the raw key as it is processed. Indeed, 
the raw key itself can be made longer by running the experiment for a longer time, but this mere fact 
cannot increase the security if the data are sliced and processed in blocks. 

• The choice of an error correcting code determines $\mathrm{leak}_{EC}$, i.e. $f_{EC}$ and $\varepsilon_{EC}$.

All the other parameters can be chosen to optimize $K$. The three auxiliary security parameters $\bar\varepsilon$, $\varepsilon_{PE}$ and
$\varepsilon_{PA}$ are necessary in the derivation of the bound but need not be specified by the user. Their value can
be optimized at the moment of computing $r$, under the constraints of being positive and satisfying (7).
The parameters that enter in the design of the experiment, however, must obviously be chosen before the
experiment is run. Explicitly, the flow of operations goes as follows:

1. Find $n$, $f_{EC}$ and $\varepsilon_{EC}$ as given by the chosen post-processing code; choose $\varepsilon$.

2. Provide a priori expected values of the parameters that are going to be measured: detection rate $R$,
error rate in either basis $e_X$ and $e_Z$, and others. Insert these expressions in the finite-key bound and
optimize the design of the experiment: i.e. find the values of the light intensity $\mu$, of $p_X$ and possibly
of other quantities, that maximize $K$.

3. Run the experiment.

4. Insert the measured values $\{R, e_X, e_Z, \ldots\}$ in the finite-key bound and run again the optimization of
$r$ over the $\varepsilon$'s but using the value of $\mu$, $p_X$ etc. used in the experiment, which may not be optimal
for the measured values, especially if these differ significantly from the expected ones. This gives how
much privacy amplification must be performed.

5. Run classical post-processing and obtain the secret key. 

The procedure we have just sketched has been implicitly assumed in many previous papers, but to our
knowledge has not been explicitly spelled out before. It is therefore worthwhile elaborating more on it, at
the risk of some redundancy. Consider for instance the intensity $\mu$ of the light source: it must obviously
be chosen before the experiment is run. This choice involves an optimization between two effects: on the
one hand, the detection rate (so the raw key length) will increase linearly with $\mu$; on the other hand, high
$\mu$ leads to some nuisances (e.g. Eve's information increases in prepare-and-measure schemes, or the error
rate increases in entanglement-based schemes; see later). In order to find the optimal value of $\mu$, one has to
provide some a priori expected expressions of the detection rate, Eve's information, error rate... as functions
of $\mu$. For instance, if, at the calibration stage, the transmission of the quantum channel and the efficiency of
the detectors have been measured to be, respectively, $t$ and $\eta$; then a priori one expects $R \approx \mu t \eta$.
Now, once the experiment is run, there is no guarantee that the measured $\mathbf{R}$ will be equal, or even close,
to the expected value $R$: Eve's attack may introduce many more losses than expected. Actually, anything can happen: for
instance, in an entanglement-based scheme, one may observe that the error rate does not vary with the
intensity, if Eve decides to block all the multiple-pair pulses. We don't know why Eve would do that, just as
we do not question why she has introduced a given amount of error and not more or less: the only thing we
must ensure is that, given the measured parameters, Eve's information is always upper-bounded. Of course,
the value of $\mu$ that we have chosen, and that would have been optimal in the expected condition, may turn
out to be seriously sub-optimal given the measured values. But again, this is perfectly fine: it just means
that Eve's attack is too strong for any secrecy to be extractable.

In this paper, we take care of distinguishing clearly the security bounds, always formulated in terms of 
measured quantities and therefore applicable to any experiment, from the derived numerical bounds obtained 
using some a priori expected values. 

In what follows, we provide the finite-key bounds (both the general expression and its numerical evaluations 
for a priori expected values) for different practical implementations of the BB84 coding. 

3 Prepare-and-measure implementations with weak coherent pulses 

3.1 Asymptotic bounds 
3.1.1 Generalities 

We consider a source producing a train of weak coherent pulses of average intensity $\mu$; the following analysis
is valid provided there is no phase coherence between successive pulses [39]. In this case, the signal sent by Alice can
equivalently be described as a Poissonian distribution of Fock states, such that the probability of sending a
$k$-photon pulse is

$$p_A(k|\mu) = e^{-\mu}\,\frac{\mu^k}{k!} \tag{9}$$

Asymptotic bounds for unconditional security of such implementations have been derived using several
approaches [101111111^; we refer to these papers and to Section IV of Ref. [S] for all details. Without loss of
generality, one can assume that (i) Eve learns the number of photons in each pulse and adapts her strategy to
it, and (ii) Eve forwards single-photon signals to Bob. An important step in such proofs is the reduction, or
"squashing", of the state of the physical signal into a qubit. Specifically, one assumes that the measurement
performed by the photon counters can be described by first squashing the signal on a finite-dimensional
Hilbert space, then performing a measurement in this space [40]. When those proofs were proposed, the
squashing property of detectors was conjectured; recently, this property has been proved to hold in the case
of BB84 [Mllil].

The probability that Bob detects something, given that the pulse contained $k$ photons, is given by $p_B(k|\mu) =
p_A(k|\mu)\, f_k$, where $f_k$ is the probability that Eve forwards a photon to Bob. Note that all the losses, both
those due to the transmission line and those due to the detector efficiency, are included in $f_k$ and are therefore
given to Eve: this is the so-called uncalibrated-device scenario, the only one in which unconditional security
can be proved as of today [SJ US] and also justified by some clever realistic attacks [H]. The $p_B(k|\mu)$ are
subject to the constraint that their sum must match the total observed detection rate:

$$R = \sum_k p_B(k|\mu) \tag{10}$$

It is customary to write

$$Y_k(\mu) = \frac{p_B(k|\mu)}{R} \tag{11}$$
Also, on $k$-photon pulses, Eve introduces the error rate $e_{X,Z}(k)$ in either basis. The measured error rates
constrain these parameters to satisfy

$$e_{X,Z} = \sum_k Y_k(\mu)\, e_{X,Z}(k). \tag{12}$$

The set of $f_k$ and $e_{X,Z}(k)$ fully parametrize Eve's attack.

Finally, under the additional assumption that Alice's and Bob's raw keys have maximal entropy (i.e. that
the bit values 0 and 1 both occur with probability 1/2), the asymptotic expression for $S(A|E)$ for a given
choice of $\mu$ is

$$S(A|E) = \min_{\mathrm{Eve}} \left\{ Y_0(\mu) + Y_1(\mu)\,[1 - h(e_X(1))] \right\} \tag{13}$$

where $h$ is binary entropy and the minimum must be taken over all possible choices of the $f_k$ and the $e_{X,Z}(k)$
compatible with the measured parameters. Note that $e_Z$ does not appear in Eve's information: this is a
consequence of the fact that Eve's information on the $Z$ basis is a function of the error introduced in the
complementary basis^2. Therefore, in discussing $S(A|E)$ and its finite-key correspondent $S_\xi(A|E)$, we don't
mention $e_Z$ any more.

3.1.2 Implementations without decoy states 

In the case of implementations without decoy states, the optimal choice of parameters is given by $f_0 = 0$,
$f_k = 1$ and $e_X(k) = 0$ for $k \ge 2$; the estimates $Y_1(\mu)$ and $e_X(1)$ are therefore fully determined by (10) and
(12), leading to

$$S(A|E) = Y_1(\mu)\,[1 - h(e_X(1))], \quad\text{with}\quad Y_1(\mu) = 1 - \frac{p_A(k \ge 2|\mu)}{R} \quad\text{and}\quad e_X(1) = \frac{e_X}{Y_1(\mu)} \tag{14}$$

where obviously $p_A(k \ge 2|\mu) = 1 - e^{-\mu}(1 + \mu)$.

3.1.3 Implementations with decoy states

Implementations with decoy states aim at estimating the $f_k$ and $e_X(k)$ more directly [461 1471 H5] . For each
pulse, Alice picks at random an intensity $\mu \in \{\mu_\gamma\}_{\gamma\in\Gamma}$ from a set of possible values (the protocol should
specify which are these values and with which probability $q_\gamma$ each one is chosen, but of course not which
one will be used for each pulse). For the items in which Bob announces a detection, Alice reveals which
$\mu_\gamma$ was used; she and Bob can therefore estimate parameters conditioned on this information. However,
the parameters $f_k$ and the $e_{X,Z}(k)$ that define Eve's attack must be the same for all $\mu_\gamma$. Therefore, the
constraints (10) and (12) become a set of $2|\Gamma|$ constraints

$$R^\gamma = \sum_k p_A(k|\mu_\gamma)\, f_k, \tag{15}$$

$$e_X^\gamma = \sum_k Y_k(\gamma)\, e_X(k) \tag{16}$$

where $Y_k(\gamma) = p_A(k|\mu_\gamma)\, f_k / R^\gamma$. Through this method, Eve's attack can in principle be exactly parametrized
[48], but this requires $|\Gamma| = \infty$. However, only $f_0$, $f_1$ and $e_X(1)$ enter the expression (13) of $S(A|E)$, and it
is evident that a pretty good estimate is already obtained with a few values of $\mu_\gamma$ [37]. Asymptotically,

$$S(A|E) \equiv S(A|E,\bar\gamma) = Y_0(\bar\gamma) + Y_1(\bar\gamma)\,[1 - h(e_X(1))] \tag{17}$$

where $Y_k(\gamma) = p_A(k|\mu_\gamma)\, f_k / R^\gamma$ and where $\bar\gamma$ is defined as the value of $\gamma$ that maximizes $K^\gamma = R^\gamma\,[S(A|E,\gamma) - h(e_Z^\gamma)]$.
This is the case because, in the asymptotic regime, one can set $q_{\bar\gamma} \approx 1$ and use the other intensities in a
negligible fraction of cases. In the finite-key regime, this can no longer be the case: below, for simplicity, we
shall consider the case where the key is extracted only out of one of the intensities.



^2 As is well known, one must be careful in using this intuitive argument: in the case of the six-state protocol, for instance, $e_Z$
does enter in the expression of Eve's information even for an asymmetric implementation, see e.g. Appendix A of Ref. [5].
3.1.4 An example of decoy states

For the explicit finite-key study below, we consider a specific choice of decoy state implementation, first
studied in the pioneering paper by Wang [47]. The protocol uses three intensities, one of which is actually
$\mu_\emptyset = 0$, while the other two are denoted $\mu_I$ and $\mu_{II}$ (we note here that, in theory, the condition $\mu = 0$ seems
trivial to realize: just shut down the power or put an obstacle in the light path; but if the pulsing rate is
required to be high, i.e. if the switch has to operate with high speed, it may be actually very difficult to
shut down the power completely). The relations $\mu_I < \mu_{II}$ and $\mu_I e^{-\mu_I} < \mu_{II} e^{-\mu_{II}}$, i.e. $p_A(0|I) > p_A(0|II)$ and
$p_A(1|I) < p_A(1|II)$, are assumed to be valid.

When $\mu = \mu_\emptyset$, all the pulses are empty so $p_A(k|\mu_\emptyset) = \delta_{k,0}$ and one immediately obtains the estimates

$$f_0 = R^\emptyset, \qquad e_X(0) = e^\emptyset. \tag{18}$$

The estimate for /i can be extracted using either R''' = pa{0\^i^) fo +pa(1|M7) /i + R'^A''' where and 
A^^ are given respectively by Eqs. (13) and (15) of [17]; explicitly 



A 



j^i Mil _ p^ii Ml 



p^(l|I) p^(l|II) 



fo . (19) 

MiiMi 



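To obtain an estimate for $e_X(1)$, we note that (16) becomes $e_X^\gamma = Y_0(\gamma)\, e_X(0) + Y_1(\gamma)\, e_X(1) + Y_\Delta(\gamma)\, e_X(\Delta, \gamma)$
where $Y_\Delta(\gamma) = \Delta^\gamma / R^\gamma$. Now, the two $e_X(\Delta, \gamma)$ depend on $\gamma$ and are unknown, but must be non-negative;
this implies that the largest value of $e_X(1)$ is

$$e_X(1) = \min_{\gamma} \left\{ \frac{e_X^\gamma - Y_0(\gamma)\, e_X(0)}{Y_1(\gamma)} \right\} \tag{20}$$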


3.2 Finite-key security bounds 

In the previous paragraph, we have collected the necessary notations and the known asymptotic bounds.
Note that the only quantity that varies according to the implementation is $S_\xi(X|E)$ and the recipe to obtain
it from the known asymptotic bounds $S(X|E)$ is straightforward: replace the estimate of each parameter
by its worst-case value compatible with the deviation $\xi(m', d)$ given in (3). Here we derive $S_\xi(A|E)$ from
$S(A|E)$, both for implementations without and with decoy states.

3.2.1 Implementations without decoy states: unconditional security bound 

We have to identify which parameters are subject to statistical fluctuations among those that enter in
Eq. (14):

• First we notice that $R$ is just the number $N$ of signals detected by Bob divided by the number of
signals sent by Alice, in the given run of the experiment. No statistical estimate is involved, therefore
there is no fluctuation here. This statement may seem surprising. To understand it fully, one must
come back to the difference between measured values and a priori expected values (end of Section
2.3). Indeed, the expected value $R \approx \mu t \eta$ will surely be subject to fluctuations; but this just means
that the observed value of $R$ may differ from $\mu t \eta$. When assessing security, however, one must plug
the measured value, and there is no reason to burden this value with a fluctuation.

• The fraction $Y_1(\mu)$ is an estimate of the fraction of signals that reach Bob arising from a single-photon
pulse; it depends explicitly on the probability that Alice's pulse contains more than two photons, and
this quantity is obviously subject to fluctuations (by "bad luck", Alice might have sent out only two-photon
pulses!). All the $N$ signals are involved in this estimate, which could in principle be done with
a 2-outcomes POVM ("$k < 2$" versus "$k \ge 2$"). Therefore, with probability $1 - \varepsilon_{PE}$, the real $p_A(k \ge 2)$
differs from the expected one $p_A(k \ge 2|\mu)$ at most by $\xi(N, 2)$.

• The real error rate in $X$ basis may deviate from the observed fraction of wrong events $e_X$; because $m$
signals are used for the measurement, the deviation is bounded by $\xi(m, 2)$.

In summary, there are two parameters subject to fluctuations ($n_{PE} = 2$) and

$$S_\xi(A|E) = Y_1^L(\mu)\,[1 - h(e_X^U(1))] \tag{21}$$

with

$$Y_1^L(\mu) = 1 - \frac{p_A(k \ge 2|\mu) + \xi(N,2)}{R} \quad\text{and}\quad e_X^U(1) = \frac{e_X + \xi(m,2)}{Y_1^L(\mu)}. \tag{22}$$

Note that $Y_1^L(\mu) = Y_1(\mu) - \xi(N,2)/R$ and, to first order in the fluctuations,
$e_X^U(1) \approx e_X(1) + \frac{\xi(m,2)}{Y_1(\mu)} + \frac{e_X(1)\,\xi(N,2)}{R\,Y_1(\mu)}$. In particular,
two finite-statistics effects provide corrections to the estimate of $e_X(1)$: the fact that the total error rate
$e_X$ was estimated on $m$ samples and the fact that the fraction of single-photon pulses was inferred from $N$
samples.

3.2.2 Implementations with decoy states: approximate bound 

For decoy states protocols, three parameters have to be estimated, namely $f_0$, $f_1$ and $e_X(1)$; so $n_{PE} = 3$.
The recipe to obtain $S_\xi(A|E)$ from $S(A|E)$ is:

• In the first constraint (15), one introduces fluctuations to the $p_A(k|\mu_\gamma)$, then solves the system of
equations for the measured values $R^\gamma$ and obtains the finite-key estimates for the $f_k$;

• One inserts these estimates into the second constraint (16), adds the fluctuations to the estimated
error rates $e_X^\gamma$ and solves for the $e_X(k)$.

While this second step is easy to implement, the first one is much harder and its full treatment goes beyond
the scope of this paper^3. Here we follow a simpler recipe: we solve first (15) without fluctuations, obtain
the expressions for $f_0$ and $f_1$, then add a fluctuation to the $Y_k(\gamma) = p_A(k|\gamma)\, f_k / R^\gamma$. Of course, having opted for
this simplified treatment, we cannot claim unconditional security for the derived bound.
We particularize directly to the three-intensity protocol sketched above (Section 3.1.4). Since the zero-pulse fractions
$Y_0(\gamma)$ are estimated using only $\mu_\emptyset = 0$, and the POVM can be rendered by the two outcomes "detection"
versus "no-detection", we have

$$Y_0^L(\gamma) = \left[ p_A(0|\gamma)\, R^\emptyset - \xi(N_\emptyset, 2) \right] / R^\gamma. \tag{23}$$

Similarly, once the parameter $f_1$ is estimated as (19), we obtain

$$Y_1^L(\gamma) = \left[ p_A(1|\gamma)\, f_1 - \xi(N_\gamma, 2) \right] / R^\gamma \tag{24}$$

because all the signals are involved in the virtual two-outcome POVM "less than two photons" versus
"two and more photons". Finally, the recipe to obtain $e_X^U(1)$ is the usual one: insert the finite estimates
$Y_k^L(\gamma)$ and increase the measured error rates by the corresponding fluctuations. For this last term, however,
two points are worth noting. First, the worst case fluctuation is the one that reduces $e^\emptyset$, because this
amounts to increasing $e_X^U(1)$. Second, all the $N_\emptyset$ events can be used to estimate this error rate: obviously,
if Alice's pulse is empty, there is no difference between encoding in $X$ or in $Z$; so Bob can assume that he
has always used the "right" basis to measure these signals. All in all,

$$e_X^U(1) = \min_{\gamma \in \{I, II\}} \left\{ \frac{e_X^{\gamma,U} - Y_0^L(\gamma)\, e^{\emptyset,L}}{Y_1^L(\gamma)} \right\} \tag{25}$$

with $e_X^{\gamma,U} = e_X^\gamma + \xi(m_\gamma, 2)$ and $e^{\emptyset,L} = e^\emptyset - \xi(N_\emptyset, 2)$.



^3 Let us mention one of the reasons for such a complexity: while one has to consider and because of (17), it is not
evident which fluctuation should be retained for the $f_{k \ge 2}$. In other words, given that the eavesdropper is allowed to take
advantage of deviations from the Poissonian behavior, it is hard to quantify how Eve is going to redistribute the fluctuations
removed from $f_0$ and $f_1$ among the other $f_k$'s.
3.3 A priori expected values for experiment design

For simplicity in this paper we plot curves for a fixed value of $N$, the length of the unsifted key*. The a priori
expected values that we choose depend on the parameters $t$, the transmittivity of the
channel Alice-Bob, and $\eta$ and $p_d$, the quantum efficiency and the dark count rate of Bob's detectors respectively.
The expected value of the detection rate we use is

$$R(\mu) = 1 - (1 - 2p_d)\, e^{-\mu t \eta} \tag{26}$$

Accordingly, error rates will be assumed to take the form 

ez(Ai) = ex(/i) = (27) 

where $Q$, often called optical quantum bit error rate, is the error induced by the channel; in a depolarizing
channel with visibility $V$, the BB84 coding leads to $Q = (1 - V)/2$.



3.3.1 Implementations without decoy states 

We consider first implementations without decoy states. We have to optimize

$$K = R(\mu)\, p_Z^2 \left[ S_\xi(A|E) - \Delta(n) - \mathrm{leak}_{EC}(e_Z) \right] \tag{28}$$

for $S_\xi(A|E)$ given in (21), over $\mu$ and over the finite-key parameters. The result is shown in Fig. 1 for a
choice of parameters corresponding to today's state-of-the-art. We see that at least $N \approx$ 10^ signals are
required to extract a secret key. As for the optimal parameters: $\mu$ is found to be very close to the well-known
value $t\eta$ [38] [S] irrespective of $N$; far from the critical distance, $p_X$ is constant with the transmittivity and
varies as $N^{-1/4}$, whence $m \sim \sqrt{N}$.
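
The bound (28) with (21) and (22), evaluated on measured values as in step 4 of Section 2.3; this is an added example, not code from the paper. It assumes $H(X|Y) = h(e_Z)$, an even split of the auxiliary failure probabilities instead of the optimization described in the text, and constructed input values; all function names are hypothetical.

```python
"""Finite-key secret fraction for BB84 with weak coherent pulses, no decoy states."""
import math


def h(p):
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def xi(m, d, eps_pe):
    """Eq. (3): absolute deviation of a parameter estimated on m samples (d-outcome POVM)."""
    return 0.5 * math.sqrt((2 * math.log(1 / eps_pe) + d * math.log(m + 1)) / m)


def delta(n, eps_bar, eps_pa):
    """Eq. (5): smoothing term plus privacy-amplification failure term."""
    return 7 * math.sqrt(math.log2(2 / eps_bar) / n) + (2 / n) * math.log2(1 / eps_pa)


def leak_ec(n, e_z, f_ec, eps_ec):
    """Eq. (6). Assumption: H(X|Y) = h(e_Z), i.e. symmetric bit errors in the Z basis."""
    return f_ec * h(e_z) + math.log2(2 / eps_ec) / n


def p_multi(mu):
    """p_A(k >= 2 | mu) for a Poissonian source, as given below Eq. (14)."""
    return 1 - math.exp(-mu) * (1 + mu)


def asymptotic_entropy(mu, R, e_x):
    """Eq. (14): S(A|E) without statistical fluctuations."""
    y1 = 1 - p_multi(mu) / R
    if y1 <= 0:
        return 0.0
    return y1 * (1 - h(min(e_x / y1, 0.5)))


def finite_key_rate(N, p_x, mu, R, e_x, e_z, eps=1e-5, eps_ec=1e-10, f_ec=1.2):
    """Secret fraction r, Eq. (2), and rate K, Eq. (28), from measured R, e_X, e_Z."""
    p_z = 1 - p_x
    n, m = N * p_z ** 2, N * p_x ** 2          # raw key and X-basis sample sizes
    # Eq. (7) with n_PE = 2: eps = eps_EC + eps_bar + 2*eps_PE + eps_PA.
    # Assumption: the budget left after eps_EC is split evenly, not optimized.
    eps_bar = eps_pe = eps_pa = (eps - eps_ec) / 4
    # Eq. (22): worst-case single-photon fraction.
    y1_low = 1 - (p_multi(mu) + xi(N, 2, eps_pe)) / R
    if y1_low <= 0:                             # every detection may be multi-photon
        return {"n": n, "m": m, "S_xi": 0.0, "r": 0.0, "K": 0.0}
    # Eq. (22): worst-case single-photon error rate. It is capped at 1/2 so that
    # h() cannot decrease again and hand back key for a useless channel.
    e1_up = min((e_x + xi(m, 2, eps_pe)) / y1_low, 0.5)
    s_xi = y1_low * (1 - h(e1_up))              # Eq. (21)
    r = p_z ** 2 * (s_xi - delta(n, eps_bar, eps_pa) - leak_ec(n, e_z, f_ec, eps_ec))
    r = max(r, 0.0)                             # a negative bound means no key
    return {"n": n, "m": m, "S_xi": s_xi, "r": r, "K": R * r}


if __name__ == "__main__":
    # Constructed values: mu = 0.1 on a channel with t*eta = 0.1, 1% errors.
    measured = dict(p_x=0.1, mu=0.1, R=0.00995, e_x=0.01, e_z=0.01)
    print("asymptotic S(A|E) = %.4f" % asymptotic_entropy(0.1, 0.00995, 0.01))
    for exponent in range(5, 11):
        out = finite_key_rate(N=10 ** exponent, **measured)
        print("N = 1e%-2d  S_xi = %.4f  r = %.4f  K = %.3e"
              % (exponent, out["S_xi"], out["r"], out["K"]))
```

For short blocks the term $\xi(N,2)/R$ alone exceeds $Y_1(\mu)$ and the bound returns no key, which is why the block size and not only the error rate decides whether privacy amplification can succeed.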



3.3.2 Implementations with decoy states: case study 

We turn now to implementations with decoy states. As we said, we consider the case where the key is 
extracted only out of the signals of intensity $\mu_I < \mu_{II}$. In this case, Alice can set $p_x(II) = 1$: whenever she 
sends out a pulse of intensity $\mu_{II}$, she can prepare it in the $X$ basis because these pulses will anyway be 
used only for parameter estimation. Bob's value of $p_x$ of course cannot depend on the intensities, and is 
supposed to be the same as the $p_x(I)$. The bound to be optimized reads therefore 

$K = q_I\, R(\mu_I)\, p_z(I)^2\, [S_\xi(A|E, I) - \Delta(n) - \mathrm{leak}_{EC}(e_z(I))]$ (29) 

where S(^{A\E,\) = Y^{\) + ^1^(1) [l " ^(ex(l))] with the expressions ([231), ^ and There is a new 

set of parameters that needs to be optimized, namely the probabilities of using each intensity. The results 
are plotted in Fig. 2. We observe that, as expected, the rates are much better than the ones obtained without 
decoy states. The optimal rates can actually be achieved by several pairs of $(\mu_I, \mu_{II})$; we fixed $\mu_{II} = 0.65$ 
and further optimized $\mu_I$: we found that $\mu_I \approx 0.5$, independent of $t$ and slightly depending on $N$. Again, far 
from the critical distance $p_x$ varies as $N^{-1/4}$. More interesting is the behavior of the $q$'s: $q_{II}$ decreases with 
$N$, as expected; $q_0$ however is non-zero only for N = 10^^. This behavior can be easily understood because 
the only role of the zero-intensity pulses is to provide an estimate of the dark counts. Now, on the one hand 
the dark count rate is small, so one needs many signals to estimate it conveniently; on the other hand, the 
benefit of subtracting the dark count contribution is rather small. 



*We mentioned in 2.3 that the parameter that really defines an experiment is $n$ (the size of the blocks on which post-processing 
is applied) and not $N$. Of course, one could in principle run optimizations for fixed $n$; but this requires the introduction of 
additional assumptions. For instance, if only $n$ is fixed and one sets $N = n/p_z^2$, then the obvious optimum is $p_z = 0$, i.e. $N = \infty$ 
signals are used, most of them to estimate the parameters. To avoid such situations, one may set $p_x < p_z$. However, leaving 
aside that this choice is a priori arbitrary, the situation becomes even more complicated in decoy states: for instance, one must 
make sure that none of the intensities is used infinitely many times. To avoid such complications, we find it clearer in this 
paper to keep the number of detected quantum signals fixed. A posteriori, one always finds $n = N p_z^2 \approx N - O(\sqrt{N})$. 

†In the expression of $R(\mu)$, we have neglected the contribution of double-clicks. This does not mean that double-clicks can 
just be neglected in an implementation (more in Section 4). Actually, since our bounds are based on squashing, they must be 
replaced by a random bit and therefore contribute in a similar way as the dark counts. We neglect them in the a priori expected 
values because their contribution is numerically small. 
Finally, we compare our results with previous estimates available in the literature. The very first papers 
on decoy states realized the importance of taking statistical fluctuations of the parameters into account 
f2H ITf| . These works differ from ours, in that they assume normal distribution for the fluctuations (see 
2.2); moreover, they do not have the finite key correction $\Delta(n)$ and are therefore, strictly speaking, not 
providing lower bounds (neither were they claiming it, of course). However, their final estimates ultimately 
agree very well with ours. For instance, they had estimated that N « 10^ — 10^° is a "reasonable number of 
signals" and we arrive close to the asymptotic bound for similar values. More specifically, our plots for the 
achievable secret key rate are in remarkable agreement with those obtained in [21], once some differences 
in the choice of the numerical values of parameters are taken into account. Of course, due to the different 
way fluctuations are introduced, some details differ. For instance, Ma and coworkers [23] found the optimal 
value of $q_0$ to be approximately 4 x 10~^ already at N = 10^°, while, as stressed just above, this value is zero 
in our approach for the same N. However, the discrepancy seems to be restricted to the choice of optimal 
values for quantities that are anyway small; whence a suboptimal choice does not have a significant influence 
on the total result. 

More recently, Hayashi and coworkers have provided another approach to compute a lower bound for decoy 
state protocols. When compared to ours, a striking fact is that they obtain a non-negligible finite key rate 
for N as small as 10^ [31], while we do not obtain any key for N < 10^ signals. The comparison is not 
straightforward, since they are considering another decoy state protocol and the values of the parameters 
are different; nevertheless, their results suggest that our bounds might be improved. 



4 Entanglement-based implementations 
4.1 Asymptotic bounds 

At the moment of writing, two asymptotic bounds are available for unconditional security of an entanglement-based 
implementation of the BB84 coding (BBM92 protocol). Under the squashing model for Bob's detectors, 
whose validity has been proved for BB84 coding, Ma, Fung and Lo [49] proved 

$S(A|E) = 1 - h(e_x)$. (30) 

This means that, even if the source is not a single-pair source, all its imperfections are taken into account in 
the measured error rate, a feature anticipated by Koashi and Preskill [50]. This result is remarkable, since it 
is formally identical to the one obtained for single-photon sources. As such, for the finite-key bound within 
our formalism we can refer to Ref. [29]. 

More recently, Koashi and coworkers have proved a different bound [51], which differs in the treatment of 
double-click events. In squashing, a physical double-click event is taken into account by adding a random 
bit to the raw key; the fraction of such events does not need to be measured. In the present approach, 
the double-click events are deleted from the raw key but their fraction $\delta_{2c}$ is estimated. Let $R$ be the 
detection rate including double clicks, which is also the detection rate in the squashing model; and let $R'$ be the 
rate obtained once double-click events are removed (i.e. $R - R'$ is the measured number of double clicks). 
Asymptotically one has the exact estimate 

= (31) 

The error rates observed in the raw key for the present approach are written $e'_x$ and $e'_z$; they are related to 
the error rates that would be obtained by processing the same data with the squashing model through 

$e_{x,z} = (1 - \delta_{2c})\, e'_{x,z} + \delta_{2c}/2$. (32) 

In particular, in the case where the $e'_{x,z}$ are very small (e.g. for very high optical visibility), the present 
approach shows basically no errors. Specifically, let F{62c) = (1 ^ 4(52c)/(l — S2c)- for ^ 0.08 F{d2c) one 
has 
SiA\E) - ^^(^2 



1 



F{62c) 



(33) 



"At this stage, it is useful to explain some difference in notation between us and Ref. I51| . Our and are the error 
rates in the raw key, i.e. with the double-click events already removed; Koashi and co-workers assume — ^'z ~ J^- ^'^^ 
expression (33) is obtained by inserting eq. (20) into $1 - t(\delta, e)/(1 - \delta)$ from eq. (3). Indeed, in our case $S(A|E)$ is Eve's 
uncertainty per bit of the raw key; the global factor $(1 - \delta)$ will be accounted for in the detection rate $R'$ defined below. 
Indeed, in the regime of small errors, the asymptotic secret key rate $K$ computed with (33) is larger than the 
one computed from (30). However, the former implies the estimation of an additional parameter, namely 
$\delta_{2c}$. It is therefore interesting to compare the two approaches in the finite-key scenario. 

4.2 Finite-key security bounds and a priori expected values 

The finite-key secret-key rate associated to the first approach (30) is 

$K = R\, p_z^2\, [1 - h(\tilde{e}_x) - \Delta(n) - \mathrm{leak}_{EC}(e_z)]$ (34) 

with $\tilde{e}_x = e_x + \xi(m, 2)$. As in the case of single-photon sources, the only parameter that needs to be 
estimated is the error rate (so $n_{PE} = 1$). Similarly, for the second approach (33) one obtains 

~ A(n)-leakEc(ez)| (35) 

with e'x = + i{m, 2) and 5^^ = (R - R')/(R) + C(^, 2). Obviously here upe = 2. 

In order to compare the two approaches a priori, we need to insert an expected value of the measured 
parameters and run the optimization over the free parameters left. We consider an implementation with 
continuous-wave pumping, following paragraph VII.A.1 of [5], where all details can be found; for a more 
detailed description, see [49], especially eqs (9) and (10). The pump intensity is such that $\mu'$ pairs are 
produced within the coincidence window $\Delta t$; we work in the limit $y = \mu'\Delta t \ll 1$ and neglect dark counts 
on Alice's side. Therefore, whenever Alice detects a photon, which happens with probability $\sim y$, the signal 
traveling to Bob is distributed according to $p_A(1) \sim 1$, $p_A(2) \sim y$ and $p_A(n > 2) \approx 0$. The expected values 
for the single-click rate $R_{1c}$ and the corresponding error rate $Q$ are given by 

$R_{1c}/y = R_p/y + R_d/y \approx t\eta\,[p_A(1) + p_A(2)(2 - t\eta)] + 2p_d\,[p_A(1)(1 - t\eta) + p_A(2)(1 - t\eta)^2]$, (36) 
$Q = [(1 - V + y) R_p + R_d]/2R_{1c}$ (37) 

(note the presence of the two-pair fraction y as a linear decrease in the observed two-photon visibility V). 
The detection rate of double clicks is 

$R_{2c}/y = p_A(2)\,\tfrac{1}{2}(t\eta)^2 + [p_A(1) + p_A(2)(1 - t\eta)]\,[t\eta\, p_d + (1 - t\eta)\, p_d^2]$. (38) 

So we have the a priori expected values $R = R_{1c} + R_{2c}$, $R' = R_{1c}$ and $\delta_{2c} = R_{2c}/(R_{1c} + R_{2c})$. As for the 
error rates, we identify $e'_x = e'_z = Q$, whence (32) implies $e_x = e_z = (1 - \delta_{2c})\,Q + \delta_{2c}/2$. 
The result of the numerical optimization over $y$ and the finite-key parameters is shown in Fig. 3. As expected, 
for small number of signals the squashing bound outperforms the double-click one, because the latter needs 
to estimate a second parameter. For larger number of signals, the two bounds give identical rates (the very 
small difference can be attributed to our approximations, like neglecting the cases when $n > 2$ pairs are 
created). The values of $y$ and $p_x$ are also basically identical for both bounds. As observed in the 
prepare-and-measure schemes, $y$ varies little with $N$ ($y \approx 0.05$ for N = 10^, $y \approx 0.1$ for large $N$), while $p_x$ scales as 
$\sim N^{-1/4}$. 
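An added worked example (not code from the paper): the a priori calculation of this section for the squashing bound, evaluated in the large-N limit and optimized over y. It uses eqs. (36) to (38) and (32) with the Fig. 3 parameters; the function names, the grid over y, and setting p_z → 1, Δ(n) → 0 and ξ → 0 in (34) are assumptions of this example.

```python
import math

def h(p):
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def expected_values(t, y, eta=0.1, p_d=1e-5, V=0.99):
    """A priori single-click rate, double-click rate and raw error rate.

    Eqs. (36)-(38) with p_A(1) = 1, p_A(2) = y, p_A(n > 2) = 0.
    """
    te = t * eta
    pA1, pA2 = 1.0, y
    R_p = y * te * (pA1 + pA2 * (2 - te))                        # photon clicks
    R_d = y * 2 * p_d * (pA1 * (1 - te) + pA2 * (1 - te) ** 2)   # dark counts
    R_1c = R_p + R_d                                             # eq. (36)
    Q = ((1 - V + y) * R_p + R_d) / (2 * R_1c)                   # eq. (37)
    R_2c = y * (pA2 * 0.5 * te ** 2                              # eq. (38)
                + (pA1 + pA2 * (1 - te)) * (te * p_d + (1 - te) * p_d ** 2))
    return R_1c, R_2c, Q

def squashing_error(Q, delta_2c):
    """Eq. (32): a double click becomes a random bit, wrong half of the time."""
    return (1 - delta_2c) * Q + delta_2c / 2

def asymptotic_rate(t, y, leak_factor=1.05, **kw):
    """Large-N limit of bound (34): p_z -> 1, Delta(n) -> 0, xi -> 0 (assumption)."""
    R_1c, R_2c, Q = expected_values(t, y, **kw)
    R = R_1c + R_2c                      # squashing keeps the double clicks
    delta_2c = R_2c / R
    e = squashing_error(Q, delta_2c)     # e_x = e_z
    return R * (1 - h(e) - leak_factor * h(e))

def optimise_y(t, **kw):
    """Grid search over the pair fraction y; returns (best_rate, best_y)."""
    best = (0.0, None)
    for k in range(1, 300):
        y = k / 1000
        K = asymptotic_rate(t, y, **kw)
        if K > best[0]:
            best = (K, y)
    return best

if __name__ == "__main__":
    for dB in (0, 10, 20, 30, 40):
        K, y = optimise_y(10 ** (-dB / 10))
        print(f"t = {dB:2d} dB  K = {K:.3e}  optimal y = {y}")
```

At 10 dB the optimum lands near y ≈ 0.1, the large-N value quoted in the text; when dark counts dominate, no y gives a positive rate and the search returns `(0.0, None)`.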



K = R'pllF{5g) 



1 - h 



X 



5 Conclusion 

In summary, we have provided security bounds for keys of finite length for several practical implementations 
of the BB84 coding. The bounds for prepare-and-measure implementations without decoy states and for 
entanglement-based implementations guarantee unconditional security; the bound for prepare-and-measure 
implementations with decoy states has been derived using a simplified treatment of the statistical fluctuations. 
We have computed these bounds for a priori expected values of the parameters that will be observed, thus 
providing some guidelines for the design of experiments. In all cases, for TV > lO""^^, we recover the asymptotic 
bounds (compare e.g. with the plots in [5]). However, prepare-and-measure implementations based on weak 
coherent pulses seem to require at least N ~ 10'' signals to produce a key; while implementations using 
entangled states, similarly to the ideal single-photon case, provide a key already for N ~ 10^. 

Let us conclude by a critical review of the possible extensions and open issues. The bounds presented in this 
paper have been derived under some assumptions. Some of them are assumptions on Alice and Bob, mostly 
inherited from the asymptotic studies from which $S(A|E)$ was obtained. Specifically: 
• First, we recall that, in the case of decoy states, we have used a partial treatment of the statistical 
fluctuations; also, we have provided an actual bound only for a specific choice (one intensity for the 
key signals, two for the decoys, one of which being zero). 

• In all weak coherent pulses implementations we have supposed that there is no phase coherence between 
successive pulses; in the case of entanglement-based schemes, we have assumed continuous pumping. 

• All the bounds we used assume that the bit values '0' and '1' appear the same number of times in both 
Alice's and Bob's raw keys. A systematic deviation from this assumption is expected if the detectors 
have different efficiencies, which is often the case in practice. The tools to study this case are available 
in the asymptotic scenario [52], their finite-key generalization should be the object of further work. 
Of course, in case one bit value is more frequent than the other, a conservative security bound is 
obtained by adding the number of excess bits to the information of Eve to be removed during privacy 
amplification; therefore one can use our formulas with this modification. 

• The prepare-and-measure bounds given above are not valid for Plug-and-Play configurations, even if 
the difference is ultimately expected to be small. The reason is that the "source" on Alice's side cannot 
be assumed to produce exact weak coherent pulses, because these pulses are obtained by attenuating 
an in principle unknown strong incoming signal. An asymptotic bound for unconditional security of 
Plug-and-Play configurations has been given in Ref. [S^ . Its generalization to finite keys may be done 
by following the same procedure as in this paper. 

• When we provide a priori expected values, we have always performed an optimization over $p_x$. Some 
systems may be such that this optimization cannot be easily performed (e.g., in a passive detection 
setup, one would have to change the beam-splitter that chooses between the bases). 

A second group of assumptions is related to the fact that our bounds may be the object of improvements: 

• First of all, the fact of having used the formalism developed in [29, 30] guarantees unconditional security, 
but it is not known whether the bounds are tight. Indeed, all the different approaches to security are 
known to coincide in the asymptotic regime, but this is not yet clear for the finite-key regime — and 
we hinted in 3.3.2 at an actual discrepancy between ours and other estimates in the case of decoy 
states implementations. Most of the information-theoretical estimates are generally regarded to be 
tight [13]; however, we have bounded statistical fluctuations using absolute errors ([3]); improvements 
may be obtained by using relative errors. 

• We have computed the security bounds for the case when the extraction of the secret key is done through 
one-way post-processing without pre-processing. In principle, the tools are available to compute finite-key 
bounds for two-way post-processing and including pre-processing [30]. For typical error rates, the 
improvements are supposed to be significant only close to the critical distance. 

• For simplicity, we have considered asymmetric implementations of the BB84 coding, in which the Z 
basis is used for the key and the X basis for parameter estimation. If both bases are used for the key 
(while each basis serving to estimate Eve's attack on the other), one obtains similar more complicated 
expressions, but basically (assuming px < pz) the effect is to increase X by a factor 1 + {px/pz)"^ ■ 
A similar argument can be made in the case of decoy states protocols, where we have assumed for 
simplicity that only one intensity is used for the key. 

Figure 1: Finite-key study of implementations of BB84 with weak coherent pulses, without decoy states. As 
a function of the transmittivity of the channel $t$: upper graph, secret key rate $K$ from eq. (28); lower graph: 
corresponding optimal value of $p_x$. Parameters: e = 10^^, Eec = 10^^", $\mathrm{leak}_{EC}(e) = 1.05\,h(e)$, $Q = 0.5\%$, 
$\eta = 0.1$, $p_d = 10^{-5}$. 
Figure 2: Finite-key study of implementations of BB84 with weak coherent pulses for the three-intensity 
decoy state protocol described in the text, and assuming that only the intensity $\mu_I$ is used for the key. As a 
function of the transmittivity of the channel $t$: upper graph, secret key rate $K$ from eq. (29); middle graph: 
corresponding optimal values of $p_x$; lower graph: corresponding values of $q_0$ and $q_{II}$ (regarding the large 
fluctuations in $q_{II}$ for N = 10^^: we have not tried to optimize with further precision, given that the value 
is anyway $q_{II}$ ^ 10^''). Parameters as in Fig. 1: e = 10~^, £ec = 10~^°, $\mathrm{leak}_{EC}(e) = 1.05\,h(e)$, $Q = 0.5\%$, 
$\eta = 0.1$, $p_d = 10^{-5}$. 
Figure 3: Key rate $K$ as a function of the attenuation $t$ for entanglement-based implementations of the 
BB84 coding. Red curves: bound with squashing adapted from the asymptotic bound of Ref. 

Blue curves: bound with estimate of double-clicks adapted from the asymptotic bound of Ref. [51]. 

Parameters as in Figs. 1 and 2: £ = 10~^, Eeg = 10"^", $\mathrm{leak}_{EC}(e) = 1.05\,h(e)$, $V = 0.99$ (corresponding to 
$Q = 0.5\%$ if one neglects the effect of double pairs), $\eta = 0.1$, $p_d = 10^{-5}$. 